Infosecurity Europe Urges Procurement Teams to Address Security Risks Now

Summary
– Only 8% of SSH servers globally support post-quantum cryptography (PQC), a rise of just two percentage points over the past year.
– 87% of business leaders expect quantum computing to disrupt their industry by 2030, but only 35% have made it a strategic priority.
– Harvest-now-decrypt-later (HNDL) attacks, where encrypted data is collected now for future decryption, are a documented and real threat.
– G7 guidance places PQC planning in 2028-29, coinciding with IBM’s timeline for a fault-tolerant quantum computer.
– The NSA warned of HNDL attacks in 2021, and evidence from Snowden leaks shows the US and adversaries are already collecting encrypted data.

Security leaders must push forward with post-quantum cryptography (PQC) transitions now, focusing on better inventory management, procurement practices, and crypto-agility, according to a top security expert speaking at Infosecurity Europe on June 3.
Rik Ferguson, vice president of security intelligence at Forescout, warned that only 8% of SSH servers worldwide currently support PQC, a mere two-point increase from last year. He framed the urgency not around the arrival of Q-day, but around preparedness. “The question is not ‘when does Q-day arrive?’” Ferguson said. “It’s ‘will we be ready when that moment comes? Will we at least have started the journey?’”
New research from EY this week shows that 87% of business leaders expect quantum computing to disrupt their industry by 2030. Yet only 35% have made it a strategic priority for the next five years, and 59% believe it won’t mature enough until 2030.
From a security standpoint, however, the countdown to cryptographically relevant quantum computers (CRQCs) has already begun. Ferguson noted that the NSA warned about harvest-now-decrypt-later (HNDL) attacks as far back as 2021. Citing evidence from the Snowden leaks, he argued that the US, and by extension its adversaries, are already collecting encrypted data for future decryption.
The Muscular and Tempora programs, highly classified joint surveillance efforts between the UK and US, illustrate this capability. Ferguson also pointed to past incidents in which massive volumes of internet traffic were redirected through China, which suggests Beijing is engaged in similar activity. Ongoing efforts by Salt Typhoon may also involve stealing encrypted data for later decryption.
“Some of the things that cause the biggest problems are the things that you don’t hear or can’t see coming,” Ferguson said. While these HNDL schemes haven’t been confirmed, the “capability is documented and real,” he warned.
Although only long-lived data is at immediate risk from HNDL, Ferguson stressed that PQC planning must begin now. A G7 Cyber Expert Group roadmap from January echoed this call, but its timeline, covering strategy, inventory, planning, migration, testing, and monitoring, places the planning phase in 2028-29. That is roughly the same timeframe in which IBM promises to have its Starling fault-tolerant quantum computer operational.
With Q-day approaching fast, Ferguson urged action on three critical fronts: proactive inventorying, secure procurement, and crypto-agility to ensure organizations can adapt quickly as quantum threats materialize.
(Source: Infosecurity Magazine)

